oss-fuzz: -fsanitize=fuzzer is not handling exceptions correctly
The only case I’ve verified where this happens is jsonnet. However, it looks like the same issue occurs with freeimage (load_from_memory_fuzzer), libsass (data_context_fuzzer), and opencv (imdecode_fuzzer).
To reproduce, download my patch and run these commands:
git apply jsonnet.txt
python infra/helper.py build_fuzzers jsonnet
python infra/helper.py check_build jsonnet
...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==36==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f236d5b6d10 bp 0x00000090605b sp 0x7ffd7f950d68 T0)
==36==The signal is caused by a READ memory access.
==36==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
ERROR: 100% of fuzz targets seem to be broken. See the list above for a detailed information.
Check build failed
This is a stacktrace that I captured slightly before the crash occurs.
#0 __asan_handle_no_return () at /src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:598
#1 0x00000000005f7084 in (anonymous namespace)::Parser::parseTerminalBracketsOrUnary (this=0x6110000000c0) at /src/jsonnet/core/parser.cpp:591
#2 0x00000000005e5321 in (anonymous namespace)::Parser::parse (this=0x7fffffffcec0, max_precedence=<optimized out>) at /src/jsonnet/core/parser.cpp:898
#3 0x00000000005e49f8 in jsonnet_parse (alloc=<optimized out>, tokens=...) at /src/jsonnet/core/parser.cpp:1093
#4 0x00000000005caed7 in jsonnet_evaluate_snippet_aux (vm=<optimized out>, filename=<optimized out>, snippet=<optimized out>, error=<optimized out>, kind=<optimized out>) at /src/jsonnet/core/libjsonnet.cpp:492
#5 0x00000000005ca76d in jsonnet_evaluate_snippet (vm=0x60f000000040, filename=0x89c900 <.str> "", snippet=0x7fffffffdaa1 "", error=0x7fffffffd9c0) at /src/jsonnet/core/libjsonnet.cpp:667
#6 0x00000000005bbcce in ConvertJsonnetToJson(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) () at convert_jsonnet_fuzzer.cc:24
#7 0x00000000005bc011 in LLVMFuzzerTestOneInput () at convert_jsonnet_fuzzer.cc:40
#8 0x00000000004c2f35 in ExecuteCallback () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:529
#9 0x00000000004c4e54 in ReadAndExecuteSeedCorpora () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:729
#10 0x00000000004c5426 in Loop () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:779
#11 0x00000000004b437b in FuzzerDriver () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776
#12 0x00000000004de3d3 in main () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19
The crash does not occur when -lFuzzingEngine is used instead of -fsanitize=fuzzer.
The source line (parser.cpp:591) causing the crash contains: throw StaticError(tok.location, "unexpected end of file.");
I think this crash has something to do with exceptions.
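The stack trace above shows the shape of the arrangement involved: the library's parser reports a malformed input by throwing, a C-style entry point (jsonnet_evaluate_snippet) sits between that throw and the fuzz target, and the fuzz target calls the entry point from LLVMFuzzerTestOneInput. The following is an added example, not code from this issue, from jsonnet or from oss-fuzz, that reproduces that layering with a toy bracket parser so the reader can see where a parse error is normally turned into an error return before it reaches the fuzzer. The names StaticError, parseBrackets, evaluate_snippet and snippetError are hypothetical stand-ins chosen to mirror the trace; the inputs in main are constructed for illustration.

```cpp
// Added example (not from the issue, jsonnet or oss-fuzz): a library whose parser
// signals errors by throwing, a C-style entry point that converts the exception
// into an error return, and a libFuzzer-style target that consumes that return.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a library's static (parse-time) error type.
struct StaticError : std::runtime_error {
    size_t offset;  // position in the input where the error was detected
    StaticError(size_t off, const std::string& msg)
        : std::runtime_error(msg), offset(off) {}
};

// Toy parser: accepts a string of balanced square brackets and nothing else.
// Like the parser in the trace, it reports problems by throwing.
void parseBrackets(const std::string& in) {
    int depth = 0;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '[') {
            ++depth;
        } else if (in[i] == ']') {
            if (depth == 0) throw StaticError(i, "unexpected ']'.");
            --depth;
        } else {
            throw StaticError(i, "unexpected character.");
        }
    }
    // Input ended while brackets were still open.
    if (depth != 0) throw StaticError(in.size(), "unexpected end of file.");
}

// Hypothetical C-style entry point in the spirit of a library's C API: returns 0
// on success and 1 on a parse error, writing the message to *error. This is the
// layer where a thrown StaticError is expected to stop, so that callers written
// in C (or fuzz targets) never see a C++ exception.
int evaluate_snippet(const char* snippet, size_t len, std::string* error) {
    try {
        parseBrackets(std::string(snippet, len));
        return 0;
    } catch (const StaticError& e) {
        *error = "static error at offset " + std::to_string(e.offset) + ": " + e.what();
        return 1;
    }
}

// Convenience wrapper: the error message for a snippet, or "" when it parses.
std::string snippetError(const std::string& snippet) {
    std::string error;
    return evaluate_snippet(snippet.data(), snippet.size(), &error) == 0 ? "" : error;
}

// libFuzzer-style target. A parse error is an expected outcome for generated
// input, not a bug, so the target checks the return value and returns normally;
// only a crash, sanitizer report or uncaught exception ends the run.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::string error;
    (void)evaluate_snippet(reinterpret_cast<const char*>(data), size, &error);
    return 0;
}

// Stand-alone driver with constructed inputs (not a fuzzer run).
int main() {
    const char* samples[] = {"[[]]", "[[", "]", "[x]", ""};
    for (const char* s : samples) {
        std::string err = snippetError(s);
        std::printf("%-6s -> %s\n", s, err.empty() ? "ok" : err.c_str());
        LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(s), std::string(s).size());
    }
    return 0;
}
```

Compiling this file with -fsanitize=fuzzer (dropping main) would give a working target whose throw path is exercised on almost every input, which is what makes a toolchain problem in the exception machinery, like the one reported above, show up immediately in check_build.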
About this issue
- State: closed
- Created 5 years ago
- Comments: 47 (42 by maintainers)
Commits related to this issue
- [compiler-rt] Build custom libc++abi without exceptions. Summary: Since neither compiler-rt nor the libc++ we build use exceptions, we don't need libc++abi to have them either. This resolves an issu... — committed to llvm/llvm-project by morehouse 5 years ago
- [compiler-rt] Build custom libc++abi without exceptions. Summary: Since neither compiler-rt nor the libc++ we build use exceptions, we don't need libc++abi to have them either. This resolves an issu... — committed to llvm-mirror/compiler-rt by morehouse 5 years ago
@asraa can you look into your issue?